From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 21 Feb 2011 10:33:05 -0500
Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version
In-Reply-To: <1298300935.9676.8.camel@tesla.lan>
References: <4D5E97A6.1040603@redhat.com> <1298092023.3101.48.camel@tesla.lan> <4D62814D.6010301@redhat.com> <1298300935.9676.8.camel@tesla.lan>
Message-ID: <4D6285B1.6010207@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
> Good afternoon Miroslav !
>
> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>> Hello Miroslav !
>>>
>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>
>>>> * dmesg reads /proc/version
>>>> * dmesg needs to access to abrt files
>>> I couldn't find any reference in the source code for dmesg from
>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>> reads /proc/version".
>>>
>>> Nor do I have any indication from the audit logs on the test system I am
>>> running that dmesg ever required that permission.
>>>
>>> Only mount needs to stat() /proc/version.
>>>
>>> So, where did you get that from ?
>> There was a bug saying
>>
>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405 comm="dmesg" path="/proc/version" dev=proc ino=4026532016 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
>
> That's not a bug. It's an AVC denial. In other words, SELinux is
> preventing some sort of operation.
>
> It still sounds very odd to me.
>
> In any case, I got curious about this issue and I went looking at
> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
> quite sure that such operation is not in the source code for dmesg.
>
> Look by yourself, the code is so short ! It's only about calls to
> klogctl().
>
> Hope it helps. But let's quit this topic now, because I believe it is
> off-theme for this list.
>
> Regards,
>
> Guido

There is a possibility that the app/domain that executed dmesg leaked an open
file descriptor for read to dmesg, and that is being checked on exec.
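The mechanism Dan is pointing at is worth seeing in code, because it explains how an AVC denial can be logged against comm="dmesg" on a file that dmesg's own source never opens: a descriptor the parent opened without close-on-exec stays open across execve(), and on a SELinux domain transition the kernel re-validates every inherited descriptor against the new domain, logging a denial (and replacing the fd with /dev/null) if the new domain may not use it. The program below is an added example written for this reply, not code from util-linux, the refpolicy project or the thread; the helper names are my own, /dev/null and /proc/version are used only as convenient files to open, and the /bin/sh redirection trick is just a portable way to ask an exec'd program whether a descriptor reached it. It shows the leaky open() beside the O_CLOEXEC fix and the fcntl() retrofit for descriptors opened by someone else.

```c
/* Added example: file descriptor leakage across execve() and the
 * close-on-exec fix. Not from util-linux or refpolicy; helper names and
 * paths are the author's own choices for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern that causes the leak: open() without O_CLOEXEC. Any program
 * this process later execs (dmesg, for instance) inherits the descriptor. */
int open_leaky(const char *path) {
    return open(path, O_RDONLY);
}

/* The fix at open() time: O_CLOEXEC marks the descriptor close-on-exec
 * atomically, so it never reaches the exec'd program. */
int open_cloexec(const char *path) {
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* The retrofit for descriptors opened by a library or inherited code:
 * set FD_CLOEXEC after the fact. Returns 0 on success, -1 on error. */
int mark_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Static check: 1 if the descriptor would be inherited across execve(),
 * 0 if it is marked close-on-exec, -1 if fd is not open. */
int fd_survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Empirical check: fork, exec /bin/sh, and have the shell try to dup the
 * descriptor; that succeeds only if the fd is still open after the exec.
 * Returns 1 if the exec'd program saw the fd, 0 if not, -1 on error. */
int child_sees_fd_after_exec(int fd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Move the fd to number 3 so a single-digit shell redirection works,
         * then re-apply the original FD_CLOEXEC state (dup2() clears it). */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || dup2(fd, 3) < 0 || fcntl(3, F_SETFD, flags) < 0)
            _exit(99);
        /* "4<&3" duplicates fd 3; it fails with EBADF if fd 3 is closed. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null 4<&3", (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    if (code == 99 || code == 127) return -1;
    return code == 0 ? 1 : 0;
}

int main(void) {
    /* /proc/version is the file named in the thread's AVC denial. */
    int leaky = open_leaky("/proc/version");
    int safe = open_cloexec("/proc/version");
    if (leaky < 0 || safe < 0) {
        perror("open");
        return 1;
    }
    printf("without O_CLOEXEC: fd %d reaches exec'd child? %d\n",
           leaky, child_sees_fd_after_exec(leaky));
    printf("with O_CLOEXEC:    fd %d reaches exec'd child? %d\n",
           safe, child_sees_fd_after_exec(safe));
    /* Retrofit the leaky one and show it no longer crosses the exec. */
    mark_cloexec(leaky);
    printf("after mark_cloexec: fd %d reaches exec'd child? %d\n",
           leaky, child_sees_fd_after_exec(leaky));
    close(leaky);
    close(safe);
    return 0;
}
```

On an SELinux system the leaky case is exactly the thread's symptom: the parent domain is allowed to read the file, the child domain (dmesg_t) is not, and the denial is attributed to the child at the moment of the domain transition even though the child's code never calls open(). The practical checks for a policy writer are therefore to look at the parent that execs dmesg (its open descriptors in /proc/PID/fd) rather than at dmesg's source, and the fix belongs in the parent: O_CLOEXEC at open(), or closing or marking descriptors before the exec.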